The upcoming SEC breach disclosure rules give security executives an opportunity to connect security issues to the board’s risk oversight and strategic leadership responsibilities. This can contextualize security in terms of revenues and profits,
shifting infosec from an “IT problem” to an “enterprise risk management matter” to a “core part of business strategy.”
This piece explains how progressing on this journey requires proactive compliance with emerging regulations like the pending SEC cyber disclosure rules, whether your organization is public or private.
Whether your business is one of the 6,000+ publicly listed companies that will be required to comply with the upcoming SEC cyber breach disclosure rules or is a private organization, the
rules create an opportunity to elevate cyber’s role in the business.
While private companies are not directly subject to SEC registration, reporting and disclosure requirements, these same companies are increasingly targeted by adversarial threat sources and subject to the same accidental, structural and environmental
threat sources that public companies face. Effective governance at all levels of the business is critical.
Getting one’s cyber-risk management ducks in a row is not just for SEC-regulated companies. Instead of approaching the rules as an increased compliance burden, treat them as a guide to developing more sophisticated governance and risk management
capabilities with leadership. These rules provide business-focused ammunition to get security buy-in from the management team and board.
The specific proposed changes in the SEC rulemaking are:
The first two requirements are about timely reporting, and in the case of Form 8-Ks, they must be filed within four days of a material cyber event. Organizations should get used to increasingly tighter reporting time frames, especially given similar existing
and emerging requirements in NYDFS, GDPR, CIRCIA, DFARS/CMMC, NCUA, etc.
Regarding disclosure of “Risk Management, Strategy and Governance Regarding Cybersecurity Risks,” risk oversight is one of the top three responsibilities of a board of directors, along with strategy and leadership. Disclosing information about
risk and risk management oversight is not new to public company boards. Public company boards have had to disclose their role in overall risk oversight since Feb. 28, 2010, according to an SEC final rule, Proxy Disclosure Requirements. As another
specific example of risk-related disclosure, audit committees of New York Stock Exchange-listed companies must disclose policies concerning risk assessment and risk management. Private companies should follow suit and establish, implement and mature
an enterprise cyber-risk management (ECRM) program and resultant cybersecurity strategy.
And finally, independent of disclosure requirements, all boards of all organizations should have access to, or add, cybersecurity expertise, given the existential risks that cyber threats now present to all businesses in all industries. As a profession, cybersecurity is immature compared to the more mature taxonomy of knowledge, skills, abilities and certifications in finance and accounting.
A “skills matrix” for someone with “cybersecurity expertise” would include broader attributes rather than cyber certifications, to avoid onboarding a single-purpose director and instead find someone who can also contribute to fulfilling the board’s other oversight responsibilities.
Complying with all or any of the SEC requirements should mean a refreshed board agenda that includes risk-based, business-enabling topics such as: 1) Your Top Risks and Treatment; 2) Advancement in Your Program/Strategy Development; and 3) Ongoing Board
Complying with the upcoming SEC rules as a private business is a strategic decision, requiring leadership buy-in. Doing so can advance your security program, but you need to make a business case to get the cross-functional cooperation required to strengthen governance and risk management. These issues can drive the conversations you need to have to get that cooperation:
Once you have buy-in on applying the SEC rules to your business, it’s time to have practical conversations about how to comply. Here are several starter questions about complying with the proposed SEC cyber disclosure changes, whether your company
is public or private:
Your enterprise cyber-risk management program and cybersecurity strategy can support your strategic business objectives and growth. If we’ve reached the board by connecting to their risk oversight responsibilities, we can better connect on one of
their other top three responsibilities—strategy—which is usually about growing revenues and profits. Pivoting from an “IT problem” to an “enterprise risk management matter” to a “core part of business strategy”
requires proactive compliance with emerging regulations, like the pending SEC cyber disclosure rules, whether your organization is public or private.
On boards lacking cyber understanding, CISOs appear to be logical candidates to fill the gap. However, CISOs’ readiness to serve as effective board members varies widely.
September 26, 2023
By IANS Faculty